For journalists, danger lurking in your email

This week, Morgan Marquis-Boire and Bill
Marczak of the University of
Toronto's Citizen Lab provided a disturbing
look into the likely use of a commercial surveillance program, FinFisher,
to remotely invade and control the computers of Bahraini activists. After the
software installs itself onto unsuspecting users' computers, it can record and
relay emails, screenshots, and Skype audio conversations. It was deployed
against Bahraini users after being concealed in seemingly innocent emails.

In one example decoded by Marquis-Boire's team, the message was
crafted to appear to be from Melissa Chan,
a journalist working for Al-Jazeera English. The attackers were using Chan's
reputation as a journalist to trick their victims into opening the document.

Chan now works for Al-Jazeera in Jerusalem, but when she was
a correspondent in China she was the target
of email attacks herself. In an attempt to take control of her real Gmail
address, a message was sent to her from someone implying they were connected to
China's "Jasmine revolution." The independent Bahraini newspaper Al-Wasat said it has been targeted with fake
messages from sources as well--not to deliver malware, but to trick
it into running false stories the government then used to try to discredit the
paper.

Email senders are relatively easy to imitate. The
"From" address used in the Bahraini attack was not Chan's own email
address, but a throwaway Gmail account that looked like an address
("[email protected]") Chan might conceivably use.

Broad caution with unknown correspondents is a defense: if
you don't download attachments and don't click on links in strange emails, you
aren't vulnerable to the hacking attacks these emails are designed to allow.
When I spoke to Chan about the attacks in her name, she noted that "many
people do not look at the email address, but just the 'Last Name, First Name.' ...
There were one or two times when I wasn't sure about the sender and I wrote
back asking them to identify themselves in a way I'd know was definitely
him/her."
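The two warning signs described above, a display name that matches someone you know while the address does not (Chan's "Last Name, First Name" point) and a throwaway account picked to look plausible, can be screened for mechanically before you decide whether to open anything. The following is an added example, not code from this post or from the Citizen Lab report; the address book entries and the sample headers are constructed placeholders:

```python
# Added example (not from the CPJ post or the Citizen Lab report): a small
# triage routine that flags a From: header whose display name matches someone
# you know but whose address is not the one you have on file for them.
from email.utils import parseaddr
import re

# Hypothetical address book. Names and addresses here are constructed
# placeholders, not real contacts.
TRUSTED_CONTACTS = {
    "melissa chan": "melissa.chan@example.org",
    "bill marczak": "bill.marczak@example.org",
}


def normalize_name(display_name):
    """Map "Chan, Melissa", "Melissa Chan" and "MELISSA  CHAN" to one lookup key."""
    name = display_name.strip().strip('"').lower()
    if "," in name:
        last, first = (part.strip() for part in name.split(",", 1))
        name = f"{first} {last}"
    return re.sub(r"\s+", " ", name).strip()


def classify_sender(from_value):
    """Classify the value of a From: header against the address book.

    Returns one of:
      "match"    - display name is a known contact and the address is the one on file
      "mismatch" - display name is a known contact but the address is something else
      "unknown"  - display name is not in the address book
    A "match" only means the header is consistent with what you expect; the
    From: header is written by the sender, so it is not proof of identity.
    """
    display_name, address = parseaddr(from_value)
    expected = TRUSTED_CONTACTS.get(normalize_name(display_name))
    if expected is None:
        return "unknown"
    return "match" if address.lower() == expected else "mismatch"


def triage_headers(raw_headers):
    """Take raw 'From: ...' lines and return [(verdict, display_name, address), ...]."""
    results = []
    for line in raw_headers:
        # Accept either a full header line or just the header value.
        value = line.split(":", 1)[1].strip() if line.lower().startswith("from:") else line
        display_name, address = parseaddr(value)
        results.append((classify_sender(value), display_name, address))
    return results


# Constructed sample headers for a local run: a genuine-looking match, a
# masquerade using a known name on a throwaway webmail address, and a stranger.
SAMPLE_HEADERS = [
    "From: Melissa Chan <melissa.chan@example.org>",
    'From: "Chan, Melissa" <mchan.reporting.2012@example-webmail.com>',
    "From: Unknown Person <tips@example.net>",
]

if __name__ == "__main__":
    for verdict, display_name, address in triage_headers(SAMPLE_HEADERS):
        print(f"{verdict:9s} {display_name!r:25s} {address}")
```

An exact match is not proof of anything: a forger can copy a real address into the From: header verbatim. The check catches only the careless masquerades of the kind described above, which is why the out-of-band confirmation recommended in the next paragraph (a phone call or instant message) remains the real test.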

That's a good technique, but it's even better if you can use
an alternative medium for your fact-checking. Use a phone call or instant
messaging to confirm a message before opening any attachment. If an attacker
has already used malware to take control of another user's computer, they may
have access to private information. They can also act as a "man in the
middle" online, relaying email questions and answers between two
unsuspecting correspondents--but able to spy or add their own fabrications. A
live phone call is harder to fake.

In terms of sophistication, it's hard to know what to think
of the Bahraini espionage revealed by Citizen Lab. In some ways, the masquerade
was clumsy--but, then, if it had been more convincing, it may have gone
unnoticed. We only see the results of unsuccessful espionage. Still, even that is
enough to see the damage being caused to the reputations of journalists and the
safety of their communications. Security services faking messages from real
journalists in order to spy on activists is a grave danger to press freedom.

Citizen Lab's analysis demonstrates that spyware supposedly
made for law enforcement purposes by the UK company Gamma International is
now being used in ways that no democratic society can tolerate. Gamma should
immediately reveal whether it has been selling this technology to the
Bahraini authorities and what it intends to do to prevent abuses from recurring.

San Francisco-based CPJ Internet Advocacy Coordinator Danny O’Brien has worked globally as a journalist and activist covering technology and digital rights. Follow him on Twitter @danny_at_cpj.